Governance and Compliance
B2–B8 built the technical controls. They are necessary but not sufficient. CISOs, governance councils, and boards release budget and approval against frameworks — NIST AI RMF, ISO 42001, the EU AI Act — not against a working guardrail. This module is where a control you built becomes the control an auditor signs off on, the AI BOM procurement accepts, and the audit trail a regulator reads. The governance-to-engineering bridge: policy → control → test → audit.
Technical security (B2–B8) is necessary but not sufficient for enterprise adoption. A CISO does not approve production deployment because a guardrail works; a board does not allocate budget because a red-team found the right gaps. They approve and allocate against frameworks — NIST AI RMF, ISO 42001, the EU AI Act's conformity obligations — because those are the instruments their auditors, regulators, and insurers read. The budget and the board attention follow the governance layer. An agent that passes engineering but fails governance does not ship.
NIST AI RMF (AI 100-1) is voluntary in law and mandatory in practice. Its four core functions — Govern (policy, accountability), Map (context, risk surface), Measure (test, evaluate), Manage (mitigate, respond) — operate as a continuous loop. The B2–B8 controls map directly onto them: Govern → policy-as-code (B11.3) + scope file (B0); Map → threat model (B1) + AI BOM (B11.2); Measure → injection rates (B2) + OWASP (B9) + Microsoft taxonomy (B10); Manage → tool governance (B3) + sandbox (B6) + observability (B8). A governance review is not a re-test of controls — it is a request for evidence the mapping is documented.
The AI BOM and the audit trail are the two artifacts every framework asks for first. The AI BOM is the SBOM extended to AI — an inventory of the model (checkpoint, license), training data (provenance, PII), tools/MCP servers, dependencies, config, and external services. An agent without an AI BOM cannot be audited: a vulnerability cannot be traced, a model-version dispute cannot be resolved, a compliance assertion cannot be evidenced. The audit trail is the complete, append-only, tamper-evident record proving controls are enforced, not just documented. EU AI Act Art 12 and HIPAA § 164.312(b) both require completeness — a sampled observability log is useless for compliance.
Policy-as-code is the governance-to-engineering bridge: policy → control → test → audit. A policy in a wiki has no runtime effect; policy-as-code compiles it to a deterministic rule enforced in the harness execution path, where the agent cannot reach it (DD-09 NemoClaw), with zero LLM at runtime (DD-20 IronCurtain), emitting an audit entry for every evaluation. The engine uses default-deny (a missing policy is safety, not openness), policy-aware redaction (B0 retention discipline), and the AI BOM as a policy input. This is the loop, not the pipeline — a static policy document is the loop frozen at stage 1.